Data Classification and Storage
Chapter 3433
Created February 14, 2025
Table of Contents
.010 Purpose
.020 Scope
.030 Definitions
.040 Policy
.050 Roles and Responsibilities
.060 Exception Process
.070 Policy Violations
.080 Periodic Review and Policy Updates
.090 Related Regulations and Laws
This Data Classification and Storage Policy establishes a structured framework for categorizing and managing the information handled by members of the University community. Implementing this classification system enhances the University community's capacity to effectively control access to institutional information, ensuring alignment with applicable federal, state, and local laws, regulations, rules and policies.
.010 Purpose
The purpose of the Data Classification and Storage Policy is to establish data classification guidelines and minimum requirements to be followed when identifying applicable data and to clarify the data classification responsibilities of Data Stewards, Data Custodians, Access Custodians and data users.
.020 Scope
This Policy applies to all individuals affiliated with the University, including faculty, staff, student workers, contractors, third-party service providers and other affiliates, who access or utilize University data, records or documents in paper or electronic formats. It applies to all data created, collected, stored, processed or transmitted using institutional resources, regardless of format. The Policy also extends to all Information Assets and Information Technology Resources within the University. Responsibilities outlined in this Policy apply to individuals or units responsible for stewardship or custodianship of information resources.
Users are required to abide by this Policy, and violations may lead to access restrictions, content removal, or disciplinary measures.
.030 Definitions
For clarity and to ensure a common understanding of terms used in this policy, please refer to the Glossary of Defined Terms which provides detailed definitions for all key concepts and terminology.
.040 Policy
Data classification is the categorization of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered, or destroyed without authorization. Data classification determines what baseline security controls are appropriate for safeguarding that data.
All data created, collected, stored, or used by the University must be classified based on the sensitivity of the data. Data will be classified into one of four classification levels as described below. Appropriate controls to ensure the protection of the confidentiality, integrity, availability, and privacy of the data will be defined for each classification as described in the Security Management Policy as part of the University Information Security Program.
University data must be stored using technology that is appropriate for the classification of the data being stored. The University Information Security Program will provide data storage standards [insert link to Data Storage Standards] that identify approved University storage platforms and solutions and define the data types appropriate for each storage platform and solution. Data must not be stored on storage platforms and solutions that are not approved and documented in the Data Storage Standards. If data cannot be stored on an approved storage platform or solution, a documented exception to this policy is required, as described in the Exceptions Management Policy.
Data Classification
Categories
Public Data: Data should be classified as public when unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the university or its affiliates. Examples include, but are not limited to:
- Public job postings.
- Press releases.
- Course schedules.
- Public domain information.
Internal Only Data: Data should be classified as Internal Only when unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to the University or its affiliates. Examples include, but are not limited to:
- Internal directories.
- Standards relating to University Policy.
Sensitive Data: Data should be classified as sensitive when unauthorized disclosure, alteration, or destruction of that data could expose sensitive personal information relating to identifiable individuals. Examples include, but are not limited to:
- Employment data.
- Non-direct identifiers of individuals such as DOB, addresses, and personnel files.
- Restricted Data: Data should be classified as restricted when unauthorized disclosure, alteration, or destruction of that data could subject the University to legal and/or regulatory peril. Examples include, but are not limited to:
- Protected health information.
- Student financial information.
- Payment card information.
- Direct identifiers include student names, social security numbers, and passport numbers.
Classification of data: Classification of data should be performed by an appropriate Institutional Data Steward. See the Data Use policy for more information on the Institutional Data Steward role and associated responsibilities.
All data must be classified into one of four classifications in accordance with the framework outlined above. By default, data is classified as Internal Only. Institutional Data Stewards have the discretion to determine whether any piece or set of data can be reclassified as Public Data.
Aggregations of data must be classified based on the most restrictive classification requirements of any individual piece of information contained in the aggregate.
The use and storage of Restricted Data requires authorization from the appropriate Institutional Data Steward, application of applicable security controls, and access only for legitimate purposes.
If data is created in the course of business, the Institutional Data Steward for that data domain should be notified and the data classified by the Institutional Data Steward. If data is created jointly by more than one department or unit, the Institutional Data Stewards for all relevant data domains must collectively classify the data.
There are instances where data could be classified differently at different times. For example, Internal Only data may become Public over time. All individuals with access to University data must exercise good judgment in handling sensitive information and seek guidance from Institutional Data Stewards if they believe that data is misclassified or should be reclassified.
- Personnel Responsibilities
- Policy Oversight: The [insert role] at the University is charged with overseeing the most critical aspects of data management. This oversight includes the establishment of data definitions, the setting of classification standards, the enforcement of data management policies, and the maintenance of these policies over time. Designated administrative figures, such as Institutional Data Stewards, are tasked with ensuring that these critical components are managed efficiently and effectively, upholding the University's standards for data integrity and security. This framework of oversight and management ensures that the University remains at the forefront of data governance, providing a robust structure for the handling and protection of its valuable information resources.
- Conditions of Use by Role: Institutional Data Stewards are responsible for defining conditions of data use in line with university policy and standards in accordance with the Security Management Policy.The Institutional Data Steward’s role is to act with proper and appropriate levels of responsibility within a trust relationship regarding institutional data and is responsible for collaborating with the University Information Security Program in assuring that appropriate access control mechanisms are applied, and university policy is followed. Institutional Data Stewards are responsible for appropriately classifying data so that required security controls can be implemented.
- Data Custodians: Data Custodians are accountable for the oversight and general operation of institutional data systems that serve a broad section of the university community. It is the responsibility of the Data Custodians to provide direct authority and control over the management and use of institutional data in his/her area of responsibility regardless of which system in which the data resides. Data Custodians are accountable for assuring implementation of Procedures which align with the Standards set by the Institutional Data Stewards for each data domain.
- Data System Custodians: Data System Custodians are individuals who are operating at the ancillary system or application level, responsible for the direct system administration and management of a specific data solution by implementing Procedures defined by Data Custodians. Data System Custodians ensure that security controls are implemented properly on individual data systems, manage day-to-day system operations, and ensure that access control systems are operating as designed to allow only authorized users have access to system resources and data.
- Data Users: Data users include all individuals who interact with, utilize, or are impacted by data within the University.
- Prohibited Actions
- Inappropriate Data Changes: Data may not be altered for non-business purposes or without appropriate authorization.
- Unauthorized Use for Personal Gain: Information accessed may not be used for personal benefit or profit.
- Unauthorized Disclosure: Information about individuals should not be disclosed without authorization from the appropriate Institutional Data Steward.
- Administrative Voyeurism: Unauthorized tracking or exploration of sensitive data is prohibited unless authorized.
- Bypassing Access Restrictions: Users should not provide broader data access than authorized to other users.
- Password Sharing: Sharing passwords or compromising system integrity is strictly prohibited.
- Reporting and Addressing Suspected Violations
Anyone who suspects violations or oversights resulting in violations of this policy shall report the matter promptly to the Chief Information Officer (CIO) in accordance with the Incident Response Policy. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be investigated promptly, and corrective actions will be taken as soon as possible to mitigate any harm to the university and its affiliates.
.050 Roles and Responsibilities
The Chief Information Officer is responsible for the implementation, oversight, and maintenance of this policy. The Vice President for Administration and Finance is responsible for the final approval of this policy.
Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Chief Information Officer.
.060 Exceptions
Exceptions from this policy must be approved as described in the Security Exceptions Management Policy. Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the Chief Information Officer.
.070 Policy Violations
Failure to comply with university policies may result in the loss of computing privileges, restriction of the ability of devices to connect to or be used on university networks, and other disciplinary measures as defined in Disciplinary Policies and Procedures. Violations may lead to disciplinary actions, including discharge, dismissal, expulsion, legal actions and criminal investigation or prosecution.
.080 Periodic Review and Policy Updates
To ensure relevance and compliance with evolving regulatory, technological, and operational standards, this policy must undergo a comprehensive review at least annually in accordance with the requirements described in the Policy on Policies. During this review, necessary updates will be made to reflect any new legal requirements, organizational changes, or external factors impacting policy efficacy.
.090 Related Regulations and Laws
- State of Kansas, ITEC Information Technology Policy 7230 Enterprise Security Policy
- State of Kansas, ITEC Information Technology Standards & Guidelines 7230A IT Security Standards